Debian Security Advisory DSA-2421-1                      email@example.com
http://www.debian.org/security/                          Moritz Muehlenhoff
February 29, 2012                      http://www.debian.org/security/faq

Package        : moodle
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2011-4308 CVE-2011-4584 CVE-2011-4585 CVE-2011-4586 CVE-2011-4587 CVE-2011-4588 CVE-2012-0792 CVE-2012-0793 CVE-2012-0794 CVE-2012-0795 CVE-2012-0796
Several security issues have been fixed in Moodle, a course management system for online learning:
CVE-2011-4308 / CVE-2012-0792
Rossiani Wijaya discovered an information leak in mod/forum/user.php
MNET authentication didn't prevent a user using "Login As" from jumping to a remote MNET SSO.
Darragh Enright discovered that the change password form was sent over plain HTTP even if httpslogin was set to "true".
David Michael Evans and German Sanchez Gances discovered CRLF injection/HTTP response splitting vulnerabilities in the Calendar module.
Stephen Mc Guiness discovered empty passwords could be entered in some circumstances.
Patrick McNeill discovered that IP address restrictions could be bypassed in MNET.
Simon Coggins discovered that additional information could be injected into mail headers.
John Ehringer discovered that email addresses were insufficiently validated.
Rajesh Taneja discovered that cookie encryption used a fixed key.
Eloy Lafuente discovered that profile images were insufficiently protected. A new configuration option "forceloginforprofileimages" was introduced for that.
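The CRLF/HTTP response splitting, mail header injection and email validation issues listed above share one root cause: user-supplied text reaching a header line without being checked for line breaks. The following Python snippet is an added illustration of that check, not Moodle's code or the fix shipped in this update; it places a deliberately vulnerable header builder beside a hardened one, and the regexes and function names are assumptions of the example.

```python
import re
from typing import Tuple

# A raw CR, LF or NUL inside a header value ends the current header line and
# lets the remainder be parsed as additional headers. The same defect
# underlies HTTP response splitting and mail header injection.
_HEADER_CTL = re.compile(r"[\r\n\x00]")

# Conservative address syntax: one local part, a dotted domain, no whitespace
# or control characters. Stricter than RFC 5322, which is acceptable for a
# "reject suspicious input" check (assumed pattern for this example).
_EMAIL = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$")


class HeaderInjection(ValueError):
    """Raised when user input would break out of a header line."""


def is_valid_email(addr: str) -> bool:
    return _EMAIL.fullmatch(addr) is not None


def header_value(value: str) -> str:
    """Return value unchanged if it is safe to place in a header, else raise."""
    if _HEADER_CTL.search(value):
        raise HeaderInjection(f"control character in header value: {value!r}")
    return value


def mail_headers_unsafe(to: str, subject: str) -> str:
    # Vulnerable pattern: user input concatenated straight into header lines.
    return f"To: {to}\r\nSubject: {subject}\r\n"


def mail_headers(to: str, subject: str) -> str:
    # Hardened: validate the address and refuse CR/LF in every header value.
    if not is_valid_email(to):
        raise ValueError(f"invalid recipient address: {to!r}")
    return f"To: {header_value(to)}\r\nSubject: {header_value(subject)}\r\n"


def http_location(target: str) -> Tuple[str, str]:
    # The same check applied to an HTTP header such as a redirect target.
    return ("Location", header_value(target))


if __name__ == "__main__":
    # Constructed sample input: a subject carrying an embedded line break.
    subj = "Hello\r\nBcc: someone@example.invalid"
    print(mail_headers_unsafe("user@example.org", subj).count("\r\n"), "header lines")
    try:
        mail_headers("user@example.org", subj)
    except HeaderInjection as exc:
        print("rejected:", exc)
```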
For the stable distribution (squeeze), these problems have been fixed in version 1.9.9.dfsg2-2.1+squeeze3.
For the unstable distribution (sid), these problems have been fixed in version 1.9.9.dfsg2-5.
We recommend that you upgrade your moodle packages.
Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/
Mailing list: firstname.lastname@example.org